Set the ACIs on the base DN

Allow users to change their own password, but nothing else (no search,
no read, no write)

This will only run when setting up the 389-dirsrv instance for the first
time; it has been applied on barnard by editing the dn (see
#128 (comment)).

Closes #128
Greg 2020-02-12 16:13:45 +01:00
parent 396cc344fb
commit e56faab5b1
2 changed files with 3 additions and 1 deletions

@ -2,3 +2,5 @@ dn: ou=users,dc=kosmos,dc=org
objectClass: top
objectClass: organizationalUnit
ou: users
aci: (target="ldap:///dc=kosmos,dc=org") (version 3.0; acl "user-deny-all"; deny (all) userdn="ldap:///dc=kosmos,dc=org";)
aci: (target="ldap:///dc=kosmos,dc=org")(targetattr="userPassword") (version 3.0; acl "user-write-own-password"; allow (write) userdn="ldap:///self";)
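Review bot: the `target` in both ACIs points at `ldap:///dc=kosmos,dc=org`, which is above the entry that carries them (`ou=users,dc=kosmos,dc=org`); 389 DS requires an ACI's target to be at or below the entry it is set on, so either drop the `target` keyword (it then defaults to the entry itself) or set it to `ldap:///ou=users,dc=kosmos,dc=org`. In the deny rule, `userdn="ldap:///dc=kosmos,dc=org"` names one exact bind DN rather than every account under the suffix; if the intent is all authenticated users, `userdn="ldap:///all"` (or a wildcard such as `ldap:///uid=*,ou=users,dc=kosmos,dc=org`) is the usual form. Keep in mind that a matching deny takes precedence over any allow in 389 DS, so a deny (all) that actually matches the bound user would also override the self write on userPassword; adding `(targetattr != "userPassword")` to the deny keeps the two rules from colliding. Worth verifying on a fresh install by binding as a regular user and checking that a password change succeeds while a search of the ou fails.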

@ -4,7 +4,7 @@ maintainer_email 'mail@kosmos.org'
license 'MIT'
description 'Installs/Configures 389 Directory Server'
long_description 'Installs/Configures 389 Directory Server'
version '0.1.1'
version '0.1.2'
chef_version '>= 14.0'
depends "firewall"
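Review bot: bumping `version` to 0.1.2 does not change anything on an instance that is already set up; as the commit message says, the LDIF only runs on first-time setup and barnard was adjusted by hand, so someone reading metadata.rb cannot tell that existing servers need the ACIs applied separately. Record that alongside the version bump in the cookbook's README or changelog, or add a converge-time step (an ldapmodify guarded by a check for the `user-deny-all` aci) so the ACIs are reconciled idempotently on existing instances.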